XP Defender

ron22 (Ron Hammer), joined Jun 19, 2008, MN
I am currently running Avira antivirus. It has let XP Defender install twice on my computer. I used Malwarebytes to remove it.
What I am looking for is something to install that will prevent this from happening again.
Any suggestions?
 
That one seems pretty stealthy. I've taken it off machines with up-to-date versions of Avast and McAfee, too.

I've had good luck in general with Comodo, although I haven't tried to deliberately infect it with XP Defender. Or maybe try the paid version of MBAM. My friend Rob (also in the business) swears by it.

-Rich
 
I think this is related

Yeah, they're all pretty much related.

XP Defender is pretty stubborn and almost immediately installs a rootkit in System32/drivers/ . The driver is loaded even in Safe Mode and prevents most security tools from installing / loading / running. Waiting a few hours to a day with the machine shut off usually gives ComboFix a chance to update and recognize it.

Otherwise I slave the drive to my laptop, delete the rootkit files and other assorted garbage, and scan the drive, usually in Linux.

What I found odd was that the last XP Defender infection I removed wouldn't let me boot into ERD, which I'm still puzzling over. Usually I boot into ERD first and manually delete the obvious garbage, as well as empty out all the temp folders, etc. But this time ERD never got past the first screen ("Setup is inspecting your hardware Configuration"). I know ERD is Windows-based and some malware can crash it, but at that point ERD didn't even have a chance to load. I'm still scratching my head over it. The machine booted into Knoppix from the CD drive, but not into either of the two ERD disks I tried.

Getting rid of this crap used to be a lot of fun for me, but I'm really starting to get tired of it.

-Rich
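The offline clean-up Rich describes above (slave the drive, find the freshly dropped driver in System32\drivers, delete it, then scan from Linux) starts with one question: which of the several hundred .sys files in that directory does not belong? The script below is an added example, not code from the thread or from any of the tools mentioned in it. Given the mount point of the slaved volume (e.g. /mnt/winxp under a live CD; the path is an assumption), it walks Windows/System32/drivers case-insensitively, hashes every file, and flags two things: files that are not even PE images, and files whose modification time is far newer than the directory's median (a dropped driver stands out against hundreds of drivers that still carry the OS install date). The 30-day window is an arbitrary default. Run with no argument it builds a constructed sample volume so it can be tried without an infected disk.

```python
#!/usr/bin/env python3
"""Offline triage of kernel drivers on a slaved Windows volume (added example).

Flagged files are candidates for review, not a verdict: a hotfix can also
update a driver, so look up the hashes before deleting anything.
"""
import hashlib
import os
import statistics
import sys
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Tuple

DAY = 86400


@dataclass
class DriverInfo:
    path: Path
    size: int
    mtime: float
    sha256: str
    is_pe: bool


def find_drivers_dir(mount: Path) -> Path:
    """Resolve <mount>/Windows/System32/drivers case-insensitively: NTFS mounted
    under Linux keeps whatever case the installer used."""
    cur = mount
    for part in ("windows", "system32", "drivers"):
        match = next((c for c in cur.iterdir() if c.name.lower() == part), None)
        if match is None:
            raise FileNotFoundError(f"{part} not found under {cur}")
        cur = match
    return cur


def looks_like_pe(path: Path) -> bool:
    """MZ stub plus a PE\\0\\0 signature at the offset stored in e_lfanew."""
    with path.open("rb") as f:
        head = f.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        f.seek(int.from_bytes(head[0x3C:0x40], "little"))
        return f.read(4) == b"PE\x00\x00"


def scan_drivers(drivers_dir: Path) -> List[DriverInfo]:
    infos = []
    for p in sorted(drivers_dir.iterdir()):
        if not p.is_file():
            continue
        st = p.stat()
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        infos.append(DriverInfo(p, st.st_size, st.st_mtime, digest, looks_like_pe(p)))
    return infos


def flag_suspicious(infos: List[DriverInfo], newer_than_median_days: int = 30) -> List[Tuple[DriverInfo, str]]:
    """Return (info, reason) pairs worth a closer look."""
    median = statistics.median(i.mtime for i in infos)
    flagged = []
    for i in infos:
        if not i.is_pe:
            flagged.append((i, "not a PE image"))
        elif i.mtime - median > newer_than_median_days * DAY:
            age = (i.mtime - median) / DAY
            flagged.append((i, f"modified {age:.0f} days after the directory's median"))
    return flagged


def build_sample_volume() -> Path:
    """Constructed sample, not a real infected disk: a fake mount tree with four
    PE drivers and one non-PE file all dated 2008, plus one PE file written
    just now, standing in for a freshly dropped driver."""
    root = Path(tempfile.mkdtemp(prefix="fakevol_"))
    drv = root / "WINDOWS" / "system32" / "drivers"
    drv.mkdir(parents=True)
    pe = bytearray(0x40)
    pe[:2] = b"MZ"
    pe[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature
    pe = bytes(pe) + b"PE\x00\x00" + b"\x00" * 60
    old = 1_200_000_000  # 2008-01-10, the pretend OS install date
    for name in ("ntfs.sys", "disk.sys", "tcpip.sys", "atapi.sys"):
        (drv / name).write_bytes(pe + name.encode())
        os.utime(drv / name, (old, old))
    (drv / "notpe.sys").write_bytes(b"this is not a driver")
    os.utime(drv / "notpe.sys", (old, old))
    (drv / "dropped_today.sys").write_bytes(pe + b"dropped")  # mtime stays = now
    return root


def main(argv):
    mount = Path(argv[1]) if len(argv) > 1 else build_sample_volume()
    infos = scan_drivers(find_drivers_dir(mount))
    for i in sorted(infos, key=lambda x: x.mtime, reverse=True):
        print(time.strftime("%Y-%m-%d", time.gmtime(i.mtime)), f"{i.size:>9}", i.sha256[:16], i.path.name)
    print("\nflagged for review:")
    for i, why in flag_suspicious(infos):
        print(f"  {i.path.name}: {why}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `python3 triage_drivers.py /mnt/winxp` (the script name is an assumption). The hashes in the listing are what you take to a reputation service or a known-good install before deleting; the mtime heuristic only narrows the list, and a driver that is both recent and unknown is the one to pull first.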
 